25eeaeed66
- Fixes for semanage, patch from Ivan and added a test script
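diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-1.29.2/scripts/chcat
--- nsapolicycoreutils/scripts/chcat 2005-12-14 14:16:50.000000000 -0500
+++ policycoreutils-1.29.2/scripts/chcat 2005-12-22 16:29:28.000000000 -0500
@@ -39,11 +39,11 @@
 print("Can not modify sensitivity levels using '+' on %s" % f)
 
 if len(clist) > 1:
- cats=clist[1].split(",")
- if cat in cats:
+ if cat in clist[1:]:
 print "%s is already in %s" % (f, orig)
 continue
- cats.append(cat)
+ clist.append(cat)
+ cats=clist[1:]
 cats.sort()
 cat_string=cats[0]
 for c in cats[1:]:
@@ -73,14 +73,13 @@
 continue
 
 if len(clist) > 1:
- cats=clist[1].split(",")
- if cat not in cats:
+ if cat not in clist[1:]:
 print "%s is not in %s" % (f, orig)
 continue
- cats.remove(cat)
- if len(cats) > 0:
- cat=cats[0]
- for c in cats[1:]:
+ clist.remove(cat)
+ if len(clist) > 1:
+ cat=clist[1]
+ for c in clist[2:]:
 cat="%s,%s" % (cat, c)
 else:
 cat=""
@@ -91,7 +90,7 @@
 if len(cat) == 0:
 cmd='chcon -l %s %s' % (sensitivity, f)
 else:
- cmd='chcon -l %s:%s %s' % (sensitivity, cat, f)
+ cmd='chcon -l %s:%s %s' % (sensitivity,cat, f)
 rc=commands.getstatusoutput(cmd)
 if rc[0] != 0:
 print rc[1]
@@ -101,18 +100,17 @@
 def chcat_replace(orig, newcat, files):
 errors=0
 if len(newcat) == 1:
- if newcat[0][0] == "s" and newcat[0][1:].isdigit() and int(newcat[0][1:]) in range(0,16):
- sensitivity=newcat[0]
- cmd='chcon -l %s ' % newcat[0]
- else:
- cmd='chcon -l s0:%s ' % newcat[0]
+ sensitivity=newcat[0]
+ cmd='chcon -l %s ' % newcat[0]
 else:
 sensitivity=newcat[0]
- cat=newcat[1]
- cmd='chcon -l %s:%s ' % (sensitivity, cat)
+ cmd='chcon -l %s:%s' % (sensitivity, newcat[1])
+ for cat in newcat[2:]:
+ cmd='%s,%s' % (cmd, cat)
 
 for f in files:
 cmd = "%s %s" % (cmd, f)
+
 rc=commands.getstatusoutput(cmd)
 if rc[0] != 0:
 print rc[1]
@@ -134,44 +132,73 @@
 raise ValueError("Can not combine +/- with other types of categories")
 return replace_ind
 
+def isSensitivity(sensitivity):
+ if sensitivity[0] == "s" and sensitivity[1:].isdigit() and int(sensitivity[1:]) in range(0,16):
+ return 1
+ else:
+ return 0
+
+def expandCats(cats):
+ newcats=[]
+ for c in cats:
+ if c.find(".") != -1:
+ c=c.split(".")
+ for i in range(int(c[0][1:]), int(c[1][1:])+1):
+ x=("c%d" % i)
+ if x not in newcats:
+ newcats.append("c%d" % i)
+ else:
+ for i in c.split(","):
+ if i not in newcats:
+ newcats.append(i)
+ return newcats
+
 def translate(cats):
 newcat=[]
+ if len(cats) == 0:
+ newcat.append("s0")
+ return newcat
 for c in cats:
 (rc, raw) = selinux.selinux_trans_to_raw_context("a:b:c:%s" % c)
 rlist=raw.split(":")[3:]
- if len(rlist) > 1:
- if len(newcat) == 0:
- newcat.append(rlist[0])
- else:
- if newcat[0] != rlist[0]:
- raise ValueError("Can not have multiple sensitivities")
- newcat.append(rlist[1])
- else:
- if rlist[0][0] == "s" and rlist[0][1:].isdigit() and int(rlist[0][1:]) in range(0,16):
-
- if len(newcat) == 0:
- newcat.append(rlist[0])
- else:
- if newcat[0] != rlist[0]:
- raise ValueError("Can not have multiple sensitivities")
- else:
- if len(newcat) == 0:
- newcat.append("s0")
- else:
- if newcat[0] != "s0":
- raise ValueError("Can not have multiple sensitivities")
- newcat.append(rlist[0])
-
+ tlist=[]
+ if isSensitivity(rlist[0])==0:
+ tlist.append("s0")
+ for i in expandCats(rlist):
+ tlist.append(i)
+ else:
+ tlist.append(rlist[0])
+ for i in expandCats(rlist[1:]):
+ tlist.append(i)
+ if len(newcat) == 0:
+ newcat.append(tlist[0])
+ else:
+ if newcat[0] != tlist[0]:
+ raise ValueError("Can not have multiple sensitivities")
+ for i in tlist[1:]:
+ newcat.append(i)
 return newcat
 
 def usage():
 print "Usage %s CATEGORY File ..." % sys.argv[0]
 print "Usage %s [[+|-]CATEGORY],...]q File ..." % sys.argv[0]
 print "Usage %s -d File ..." % sys.argv[0]
+ print "Usage %s -l" % sys.argv[0]
 print "Use -- to end option list. For example"
 print "chcat -- -CompanyConfidential /docs/businessplan.odt."
 sys.exit(1)
 
+def listcats():
+ fd = open(selinux.selinux_translations_path())
+ for l in fd.read().split("\n"):
+ if l.startswith("#"):
+ continue
+ if l.find("=")!=-1:
+ rec=l.split("=")
+ print "%-30s %s" % tuple(rec)
+ fd.close()
+ return 0
+
 def error(msg):
 print "%s: %s" % (sys.argv[0], msg)
 sys.exit(1)
@@ -184,10 +211,12 @@
 error("Requires an SELinux enabled system")
 
 delete_ind=0
+ list_ind=0
 try:
 gopts, cmds = getopt.getopt(sys.argv[1:],
- 'dh',
- ['help',
+ 'dhl',
+ ['list',
+ 'help',
 'delete'])
 
 for o,a in gopts:
@@ -195,8 +224,10 @@
 usage()
 if o == "-d" or o == "--delete":
 delete_ind=1
+ if o == "-l" or o == "--list":
+ list_ind=1
 
- if len(cmds) < 1:
+ if list_ind==0 and len(cmds) < 1:
 usage()
 except:
 usage()
@@ -204,6 +235,8 @@
 if delete_ind:
 sys.exit(chcat_replace(["s0"], ["s0"], cmds))
 
+ if list_ind:
+ sys.exit(listcats())
 
 if len(cmds) < 2:
 usage()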
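Review bot: translate() discards the status returned by `selinux.selinux_trans_to_raw_context` (the `rc` in `(rc, raw) = ...`), so a category name that setrans cannot map is never reported; raw is then not a usable context and `raw.split(":")` fails far from the cause, so suggest `if rc != 0: raise ValueError("Can not translate %s" % c)` directly after the call, and a guard in isSensitivity for the empty string (`sensitivity[0]` raises IndexError on `""`). listcats() has a related fragility: `print "%-30s %s" % tuple(rec)` raises TypeError on any setrans line that contains a second `=`, whereas `l.split("=", 1)` would keep the right-hand side intact. The chcon command strings built in the first hunks and in chcat_replace still interpolate each file name unquoted into a shell string passed to commands.getstatusoutput, so a name containing whitespace or shell metacharacters is parsed as extra arguments; quoting each argument, or passing an argument list to subprocess instead of a shell string, avoids that. The functions around the first three hunks start outside the hunks.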
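diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/chcat.8 policycoreutils-1.29.2/scripts/chcat.8
--- nsapolicycoreutils/scripts/chcat.8 2005-12-08 12:52:47.000000000 -0500
+++ policycoreutils-1.29.2/scripts/chcat.8 2005-12-22 16:29:28.000000000 -0500
@@ -11,6 +11,9 @@
 .B chcat
 [\fI-d\fR] \fIFILE\fR...
 .br
+.B chcat
+[\fI-l\fR]
+.br
 .PP
 Change/Remove the security CATEGORY for each FILE.
 .PP
@@ -18,6 +21,9 @@
 .TP
 \fB\-d\fR
 delete the category from each file.
+.TP
+\fB\-l\fR
+list available categories.
 .SH "SEE ALSO"
 .TP
 chcon(1), selinux(8)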
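diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-1.29.2/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles 2005-10-13 13:51:22.000000000 -0400
+++ policycoreutils-1.29.2/scripts/fixfiles 2005-12-30 08:17:05.000000000 -0500
@@ -62,8 +62,8 @@
 TEMPFILE=`mktemp ${FC}.XXXXXXXXXX`
 test -z "$TEMPFILE" && exit
 PREFCTEMPFILE=`mktemp ${PREFC}.XXXXXXXXXX`
- sed -r -e 's,:s0, ,g' $PREFC > ${PREFCTEMPFILE}
- sed -r -e 's,:s0, ,g' $FC | \
+ sed -r -e 's,:s0, ,g' $PREFC | sort -u > ${PREFCTEMPFILE}
+ sed -r -e 's,:s0, ,g' $FC | sort -u | \
 /usr/bin/diff -b ${PREFCTEMPFILE} - | \
 grep '^[<>]'|cut -c3-| grep ^/ | \
 egrep -v '(^/home|^/root|^/tmp|^/dev)' |\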
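Review bot: The new `sort -u` pipeline on the fourth line of the hunk still redirects into `${PREFCTEMPFILE}` without the emptiness check that `$TEMPFILE` gets two lines earlier, so if the second mktemp fails the redirection target is an empty string and the sorted output is lost before the diff runs; suggest `test -z "$PREFCTEMPFILE" && exit` immediately after that mktemp. Both sort invocations collate according to the current locale; `diff -b` compares the two sorted streams line by line, so this only matters if the two sides are ever produced under different locales, but `LC_ALL=C sort -u` makes the comparison deterministic. The enclosing function starts and ends outside the hunk.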
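diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.2/scripts/genhomedircon
--- nsapolicycoreutils/scripts/genhomedircon 2005-12-07 07:28:00.000000000 -0500
+++ policycoreutils-1.29.2/scripts/genhomedircon 2005-12-27 08:54:19.000000000 -0500
@@ -1,4 +1,4 @@
-#! /usr/bin/env python
+#! /usr/bin/python
 # Copyright (C) 2004 Tresys Technology, LLC
 # see file 'COPYING' for use and warranty information
 #
@@ -26,64 +26,73 @@
 #
 #
 
-import commands, sys, os, pwd, string, getopt, re
+import sys, os, pwd, string, getopt, re
 from semanage import *;
 
-fd=open("/etc/shells", 'r')
-VALID_SHELLS=fd.read().split('\n')
-fd.close()
-if "/sbin/nologin" in VALID_SHELLS:
- VALID_SHELLS.remove("/sbin/nologin")
+try:
+ fd=open("/etc/shells", 'r')
+ VALID_SHELLS=fd.read().split('\n')
+ fd.close()
+ if "/sbin/nologin" in VALID_SHELLS:
+ VALID_SHELLS.remove("/sbin/nologin")
+except:
+ VALID_SHELLS = ['/bin/sh', '/bin/bash', '/bin/ash', '/bin/bsh', '/bin/ksh', '/usr/bin/ksh', '/usr/bin/pdksh', '/bin/tcsh', '/bin/csh', '/bin/zsh']
+
+def findval(file, var, delim=""):
+ val=""
+ try:
+ fd=open(file, 'r')
+ for i in fd.read().split('\n'):
+ if i.startswith(var) == 1:
+ if delim == "":
+ val = i.split()[1]
+ else:
+ val = i.split(delim)[1]
+ val = val.split("#")[0]
+ val = val.strip()
+ fd.close()
+ except:
+ val=""
+ return val
 
 def getStartingUID():
 starting_uid = sys.maxint
- rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs")
- if rc[0] == 0:
- uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1])
- #stip any comment from the end of the line
+ uid_min= findval("/etc/login.defs", "UID_MIN")
+ if uid_min != "":
 uid_min = uid_min.split("#")[0]
 uid_min = uid_min.strip()
 if int(uid_min) < starting_uid:
 starting_uid = int(uid_min)
- rc=commands.getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf")
- if rc[0] == 0:
- lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1])
- #stip any comment from the end of the line
- lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber)
- lu_uidnumber = lu_uidnumber.split("#")[0]
- lu_uidnumber = lu_uidnumber.strip()
- if int(lu_uidnumber) < starting_uid:
- starting_uid = int(lu_uidnumber)
+
+ uid_min= findval("/etc/libuser.conf", "LU_UIDNUMBER", "=")
+ if uid_min != "":
+ uid_min = uid_min.split("#")[0]
+ uid_min = uid_min.strip()
+ if int(uid_min) < starting_uid:
+ starting_uid = int(uid_min)
+
 if starting_uid == sys.maxint:
 starting_uid = 500
 return starting_uid
 
 def getDefaultHomeDir():
 ret = []
- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not homedir in ret:
- ret.append(homedir)
-
- rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not homedir in ret:
- ret.append(homedir)
-
+ homedir=findval("/etc/default/useradd", "HOME", "=")
+ if homedir != "" and not homedir in ret:
+ ret.append(homedir)
+
+ homedir=findval("/etc/libuser.conf", "LU_HOMEDIRECTORY", "=")
+ if homedir != "" and not homedir in ret:
+ ret.append(homedir)
+
 if ret == []:
 ret.append("/home")
 return ret
 
 def getSELinuxType(directory):
- rc=commands.getstatusoutput("grep ^SELINUXTYPE= %s/config" % directory)
- if rc[0]==0:
- return rc[1].split("=")[-1].strip()
+ val=findval(directory+"/config", "SELINUXTYPE", "=")
+ if val != "":
+ return val
 return "targeted"
 
 def usage(error = ""):
@@ -129,11 +138,17 @@
 return self.getFileContextDir()+"/homedir_template"
 
 def getHomeRootContext(self, homedir):
- rc=commands.getstatusoutput("grep HOME_ROOT %s | sed -e \"s|^HOME_ROOT|%s|\"" % ( self.getHomeDirTemplate(), homedir))
- if rc[0] == 0:
- return rc[1]+"\n"
- else:
- errorExit("sed error %s" % rc[1])
+ ret=""
+ fd=open(self.getHomeDirTemplate(), 'r')
+
+ for i in fd.read().split('\n'):
+ if i.find("HOME_ROOT") == 0:
+ i=i.replace("HOME_ROOT", homedir)
+ ret = i+"\n"
+ fd.close()
+ if ret=="":
+ errorExit("No Home Root Context Found")
+ return ret
 
 def heading(self):
 ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
@@ -152,32 +167,40 @@
 return "user_r"
 return name
 def getOldRole(self, role):
- rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/system.users"))
- if rc[0] != 0:
- rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/local.users"))
- if rc[0] == 0:
- user=rc[1].split()
+ rc=findval(self.selinuxdir+self.type+"/users/system.users", 'grep "^user %s"' % role, "=")
+ if rc == "":
+ rc=findval(self.selinuxdir+self.type+"/users/local.users", 'grep "^user %s"' % role, "=")
+ if rc != "":
+ user=rc.split()
 role = user[3]
 if role == "{":
 role = user[4]
 return role
 
 def adduser(self, udict, user, seuser, role):
+ if seuser == "user_u" or user == "__default__":
+ return
+ # !!! chooses first role in the list to use in the file context !!!
+ if role[-2:] == "_r" or role[-2:] == "_u":
+ role = role[:-2]
 try:
- if seuser == "user_u" or user == "__default__":
- return
- # !!! chooses first role in the list to use in the file context !!!
- if role[-2:] == "_r" or role[-2:] == "_u":
- role = role[:-2]
 home = pwd.getpwnam(user)[5]
 if home == "/":
- return
- prefs = {}
- prefs["role"] = role
- prefs["home"] = home
- udict[seuser] = prefs
+ # Probably install so hard code to /root
+ if user == "root":
+ home="/root"
+ else:
+ return
 except KeyError:
- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user)
+ if user == "root":
+ home = "/root"
+ else:
+ sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user)
+ return
+ prefs = {}
+ prefs["role"] = role
+ prefs["home"] = home
+ udict[seuser] = prefs
 
 def getUsers(self):
 udict = {}
@@ -190,30 +213,50 @@
 self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername))
 
 else:
- rc = commands.getstatusoutput("grep -v '^ *#' %s" % self.selinuxdir+self.type+"/seusers")
- if rc[0] == 0 and rc[1] != "":
- ulist = rc[1].split("\n")
- for u in ulist:
- if len(u)==0:
+ try:
+ fd =open(self.selinuxdir+self.type+"/seusers")
+ for u in fd.read().split('\n'):
+ u=u.strip()
+ if len(u)==0 or u[0]=="#":
 continue
 user = u.split(":")
 if len(user) < 3:
 continue
 role=self.getOldRole(user[1])
 self.adduser(udict, user[0], user[1], role)
+ fd.close()
+ except IOError, error:
+ # Must be install so force add of root
+ self.adduser(udict, "root", "root", "root")
+
 return udict
 
 def getHomeDirContext(self, user, home, role):
 ret="\n\n#\n# Home Context for user %s\n#\n\n" % user
- rc=commands.getstatusoutput("grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), home, role, user))
- return ret + rc[1] + "\n"
+ fd=open(self.getHomeDirTemplate(), 'r')
+ for i in fd.read().split('\n'):
+ if i.startswith("HOME_DIR") == 1:
+ i=i.replace("HOME_DIR", home)
+ i=i.replace("ROLE", role)
+ i=i.replace("system_u", user)
+ ret = ret+i+"\n"
+ fd.close()
+ return ret
 
 def getUserContext(self, user, sel_user, role):
- rc=commands.getstatusoutput("grep 'USER' %s | sed -e 's/USER/%s/' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), user, role, sel_user))
- return rc[1] + "\n"
+ ret=""
+ fd=open(self.getHomeDirTemplate(), 'r')
+ for i in fd.read().split('\n'):
+ if i.find("USER") == 1:
+ i=i.replace("USER", user)
+ i=i.replace("ROLE", role)
+ i=i.replace("system_u", sel_user)
+ ret=ret+i+"\n"
+ fd.close()
+ return ret
 
 def genHomeDirContext(self):
- if commands.getstatusoutput("grep -q 'ROLE' %s" % self.getHomeDirTemplate())[0] == 0 and self.semanaged:
+ if self.semanaged and findval(self.getHomeDirTemplate(), "ROLE", "=") != "":
 warning("genhomedircon: Warning! No support yet for expanding ROLE macros in the %s file when using libsemanage." % self.getHomeDirTemplate());
 warning("genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users (including root).");
 users = self.getUsers()
@@ -225,40 +268,23 @@
 return ret+"\n"
 
 def checkExists(self, home):
- if commands.getstatusoutput("grep -E '^%s[^[:alnum:]_-]' %s" % (home, self.getFileContextFile()))[0] == 0:
- return 0
- #this works by grepping the file_contexts for
- # 1. ^/ makes sure this is not a comment
- # 2. prints only the regex in the first column first cut on \t then on space
- rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % self.getFileContextFile() )
- if rc[0] == 0:
- prefix_regex = rc[1].split("\n")
- else:
- warning("%s\nYou do not have access to read %s\n" % (rc[1], self.getFileContextFile()))
-
- exists=1
- for regex in prefix_regex:
- #match a trailing (/*)? which is actually a bug in rpc_pipefs
- regex = re.sub("\(/\*\)\?$", "", regex)
- #match a trailing .+
- regex = re.sub("\.+$", "", regex)
- #match a trailing .*
- regex = re.sub("\.\*$", "", regex)
- #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
- regex = re.sub("\(\/\.\*\)\?", "", regex)
- regex = regex + "/*$"
- if re.search(regex, home, 0):
- exists = 0
- break
- if exists == 1:
- return 1
- else:
- return 0
-
+ fd=open(self.getFileContextFile())
+ for i in fd.read().split('\n'):
+ if len(i)==0:
+ return
+ regex=i.split()[0]
+ #match a trailing .+
+ regex = re.sub("\.+$", "", regex)
+ regex = re.sub("\.\*$", "", regex)
+ #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
+ regex = re.sub("\(\/\.\*\)\?", "", regex)
+ regex = regex + "/*$"
+ if re.search(home, regex, 0):
+ return 1
+ return 0
 
 def getHomeDirs(self):
- homedirs = []
- homedirs = homedirs + getDefaultHomeDir()
+ homedirs = getDefaultHomeDir()
 starting_uid=getStartingUID()
 if self.usepwd==0:
 return homedirs
@@ -270,8 +296,8 @@
 string.count(u[5], "/") > 1:
 homedir = u[5][:string.rfind(u[5], "/")]
 if not homedir in homedirs:
- if self.checkExists(homedir)==0:
- warning("%s homedir %s or its parent directoy conflicts with a\ndefined context in %s,\n%s will not create a new context." % (u[0], u[5], self.getFileContextFile(), sys.argv[0]))
+ if self.checkExists(homedir)==1:
+ warning("%s homedir %s or its parent directory conflicts with a\ndefined context in %s,\n%s will not create a new context." % (u[0], u[5], self.getFileContextFile(), sys.argv[0]))
 else:
 homedirs.append(homedir)
 
@@ -333,7 +359,3 @@
 
 except getopt.error, error:
 errorExit("Options Error %s " % error)
-except ValueError, error:
- errorExit("ValueError %s" % error)
-except IndexError, error:
- errorExit("IndexError")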
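Review bot: In checkExists (hunk `@@ -225,40 +268,23 @@`) the new loop executes a bare `return` at the first empty line of the file_contexts file, so the caller's `self.checkExists(homedir)==1` in getHomeDirs is false, the remainder of the file is never scanned, and the home directory is appended as if no conflicting context existed; `continue` is the statement that matches the removed code, and `re.search(home, regex, 0)` has pattern and subject swapped relative to the removed `re.search(regex, home, 0)`. The same grep-to-findval conversion left other comparisons that cannot match: getOldRole passes `'grep "^user %s"' % role` as the prefix that findval tests with startswith, getUserContext tests `i.find("USER") == 1` where the removed grep matched USER anywhere (`!= -1`), and genHomeDirContext's `findval(..., "ROLE", "=")` only sees lines that begin with ROLE, so the libsemanage warning is unlikely to fire. findval's bare `except:` also turns every failure, including a missing or unreadable file and the IndexError from a short line, into the empty string that callers treat as "not set", which hides all of the above at runtime. The class these methods belong to starts outside the hunks.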
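diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/selisteners policycoreutils-1.29.2/scripts/selisteners
--- nsapolicycoreutils/scripts/selisteners 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.29.2/scripts/selisteners 2005-12-22 16:29:28.000000000 -0500
@@ -0,0 +1,37 @@
+#! /usr/bin/env python
+# Copyright (C) 2005 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# listeners - this script finds all processes listening on a TCP or UDP Port
+# configuration entries for user home directories based on their
+# default roles and is run when building the policy. Specifically, we
+# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with
+# generic and user-specific values.
+#
+# Based off original script by Dan Walsh, <dwalsh@redhat.com>
+#
+# ASSUMPTIONS:
+#
+# The file CONTEXTDIR/files/homedir_template exists. This file is used to
+# set up the home directory context for each real user.
+#
+# If a user has more than one role, genhomedircon uses the first role in the list.
+#
+# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user
+#
+# "Real" users (as opposed to system users) are those whose UID is greater than
+# or equal STARTING_UID (usually 500) and whose login is not a member of
+# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/seusers
+# are always "real" (including root, in the default configuration).
+#
+#
+import commands, string
+import selinux
+rc=commands.getstatusoutput("netstat -aptul")
+out=rc[1].split("\n")
+for i in out:
+ x=i.split()
+ y=x[-1].split("/")
+ if len(y)==2:
+ pid=string.atoi(y[0])
+ print "%s %-40s %-10s\t%-20s\t%s" % (x[0], x[3], pid,y[1],selinux.getpidcon(pid)[1])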
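Review bot: The header comment of the new script (lines 5 to 25 of the hunk) describes genhomedircon — HOME_ROOT/HOME_DIR/ROLE macros, homedir_template, seusers — rather than what the code below does, which is parse `netstat -aptul` output and print each socket's owning process with its SELinux context; the block should be cut down to the first `listeners - ...` sentence plus a note that netstat prints `-` in the PID/Program column for processes the caller may not inspect, so an unprivileged run lists fewer entries. The script also ignores `rc[0]` from `commands.getstatusoutput`, and `x[-1]` raises IndexError on an empty output line, so a missing netstat or an unexpected line aborts the listing instead of being reported; suggest `if rc[0] != 0: sys.exit(rc[1])` after the call and `if len(x) == 0: continue` at the top of the loop. `selinux.getpidcon(pid)[1]` likewise discards its status, which matters for a process that exits between the netstat snapshot and the lookup.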
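diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/tests/chcat_test policycoreutils-1.29.2/scripts/tests/chcat_test
--- nsapolicycoreutils/scripts/tests/chcat_test 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.29.2/scripts/tests/chcat_test 2005-12-22 16:29:28.000000000 -0500
@@ -0,0 +1,43 @@
+#!/bin/sh -x
+#
+# You must copy the setrans.conf file in place before testing
+#
+chcat -l
+rm -f /tmp/chcat_test
+touch /tmp/chcat_test
+chcat -d /tmp/chcat_test
+chcat -d /tmp/chcat_test
+chcat -- -Payroll /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- +Payroll /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -Payroll /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat Payroll,Marketing /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- +Payroll /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- Payroll /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -Payroll,+Marketing /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- +Payroll,-Marketing /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -Payroll,+Marketing,+NDA_Yoyodyne /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -Marketing,-NDA_Yoyodyne /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -s0 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- s0 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- s0:c1 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- s0:c1,c2 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- s0:c1.c3 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -s0:c3 /tmp/chcat_test
+ls -lZ /tmp/chcat_test
+chcat -- -s0:c2,+c3 /tmp/chcat_test
+ls -lZ /tmp/chcat_test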
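Review bot: The test relabels a fixed, predictable path, `/tmp/chcat_test`, which it first removes and recreates; in a shared /tmp a pre-existing entry of that name (a symlink in particular) placed between the `rm -f` and the `touch` means every following chcat acts on a file the test did not create, so the script is both unreliable and unsafe to run as root on a multi-user host. Creating the file once with `f=$(mktemp /tmp/chcat_test.XXXXXX)` and using `"$f"` in place of the literal path removes that window. None of the commands' exit codes are checked and the results are only shown via `ls -lZ`, so a regression in chcat is invisible unless someone reads the -x trace; the expected label after each step could be asserted against `ls -Z` output, or at least `set -e` added so a failing chcat stops the run.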
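diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/tests/setrans.conf policycoreutils-1.29.2/scripts/tests/setrans.conf
--- nsapolicycoreutils/scripts/tests/setrans.conf 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-1.29.2/scripts/tests/setrans.conf 2005-12-22 16:29:28.000000000 -0500
@@ -0,0 +1,23 @@
+#
+# Multi-Category Security translation table for SELinux
+#
+# Uncomment the following to disable translation libary
+# disable=1
+#
+# Objects can be categorized with 0-256 categories defined by the admin.
+# Objects can be in more than one category at a time.
+# Categories are stored in the system as c0-c255. Users can use this
+# table to translate the categories into a more meaningful output.
+# Examples:
+# s0:c0=CompanyConfidential
+# s0:c1=PatientRecord
+# s0:c2=Unclassified
+# s0:c3=TopSecret
+# s0:c1,c3=CompanyConfidentialRedHat
+s0=
+s0-s0:c0.c255=SystemLow-SystemHigh
+s0:c0.c255=SystemHigh
+s0:c0=Company_Confidential
+s0:c1=Marketing
+s0:c2=Payroll
+s0:c3=NDA_Yoyodyne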
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-1.29.2/semanage/semanage
|
|
--- nsapolicycoreutils/semanage/semanage 2005-11-29 10:55:01.000000000 -0500
|
|
+++ policycoreutils-1.29.2/semanage/semanage 2005-12-27 15:13:34.000000000 -0500
|
|
@@ -24,22 +24,33 @@
|
|
from semanage import *;
|
|
class loginRecords:
|
|
def __init__(self):
|
|
- self.sh=semanage_handle_create()
|
|
- self.semanaged=semanage_is_managed(self.sh)
|
|
+ self.sh = semanage_handle_create()
|
|
+ self.semanaged = semanage_is_managed(self.sh)
|
|
if self.semanaged:
|
|
semanage_connect(self.sh)
|
|
|
|
def add(self, name, sename, serange):
|
|
- (rc,k)=semanage_seuser_key_create(self.sh, name)
|
|
- (rc,exists)= semanage_seuser_exists(self.sh, k)
|
|
+ if serange == "":
|
|
+ serange = "s0"
|
|
+ if sename == "":
|
|
+ sename = "user_u"
|
|
+
|
|
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
|
|
+ if rc != 0:
|
|
+ raise ValueError("Could not create a key for %s" % name)
|
|
+
|
|
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
|
|
if exists:
|
|
raise ValueError("SELinux User %s mapping already defined" % name)
|
|
try:
|
|
- pwd.getpwname(name)
|
|
+ pwd.getpwnam(name)
|
|
except:
|
|
raise ValueError("Linux User %s does not exist" % name)
|
|
|
|
- (rc,u)= semanage_seuser_create(self.sh)
|
|
+ (rc,u) = semanage_seuser_create(self.sh)
|
|
+ if rc != 0:
|
|
+ raise ValueError("Could not create seuser for %s" % name)
|
|
+
|
|
semanage_seuser_set_name(self.sh, u, name)
|
|
semanage_seuser_set_mlsrange(self.sh, u, serange)
|
|
semanage_seuser_set_sename(self.sh, u, sename)
|
|
@@ -48,13 +59,22 @@
|
|
if semanage_commit(self.sh) != 0:
|
|
raise ValueError("Failed to add SELinux user mapping")
|
|
|
|
- def modify(self, name, sename="", serange=""):
|
|
- (rc,k)=semanage_seuser_key_create(self.sh, name)
|
|
- (rc,u)= semanage_seuser_query(self.sh, k)
|
|
- if rc !=0 :
|
|
- raise ValueError("SELinux user %s mapping is not defined." % name)
|
|
- if sename == "" and serange=="":
|
|
+ def modify(self, name, sename = "", serange = ""):
|
|
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
|
|
+ if rc != 0:
|
|
+ raise ValueError("Could not create a key for %s" % name)
|
|
+
|
|
+ if sename == "" and serange == "":
|
|
raise ValueError("Requires, seuser or serange")
|
|
+
|
|
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
|
|
+ if exists:
|
|
+ (rc,u) = semanage_seuser_query(self.sh, k)
|
|
+ if rc != 0:
|
|
+ raise ValueError("Could not query seuser for %s" % name)
|
|
+ else:
|
|
+ raise ValueError("SELinux user %s mapping is not defined." % name)
|
|
+
|
|
if serange != "":
|
|
semanage_seuser_set_mlsrange(self.sh, u, serange)
|
|
if sename != "":
|
|
@@ -66,78 +86,107 @@
|
|
|
|
|
|
def delete(self, name):
|
|
- (rc,k)=semanage_seuser_key_create(self.sh, name)
|
|
- (rc,exists)= semanage_seuser_exists(self.sh, k)
|
|
- if rc !=0 :
|
|
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
|
|
+ if rc != 0:
|
|
+ raise ValueError("Could not create a key for %s" % name)
|
|
+
|
|
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
|
|
+ if not exists:
|
|
raise ValueError("SELinux user %s mapping is not defined." % name)
|
|
semanage_begin_transaction(self.sh)
|
|
semanage_seuser_del(self.sh, k)
|
|
if semanage_commit(self.sh) != 0:
|
|
raise ValueError("SELinux User %s mapping not defined" % name)
|
|
|
|
- def list(self):
|
|
- print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range")
|
|
+ def list(self,heading=1):
|
|
+ if heading:
|
|
+ print "\n%-25s %-25s %-25s\n" % ("Login Name", "SELinux User", "MLS/MCS Range")
|
|
(status, self.ulist, self.usize) = semanage_seuser_list(self.sh)
|
|
for idx in range(self.usize):
|
|
- u=semanage_seuser_by_idx(self.ulist, idx)
|
|
- name=semanage_seuser_get_name(u)
|
|
-
|
|
+ u = semanage_seuser_by_idx(self.ulist, idx)
|
|
+ name = semanage_seuser_get_name(u)
|
|
print "%-25s %-25s %-25s" % (name, semanage_seuser_get_sename(u), semanage_seuser_get_mlsrange(u))
|
|
|
|
class seluserRecords:
|
|
def __init__(self):
|
|
- roles=[]
|
|
- self.sh=semanage_handle_create()
|
|
- self.semanaged=semanage_is_managed(self.sh)
|
|
+ roles = []
|
|
+ self.sh = semanage_handle_create()
|
|
+ self.semanaged = semanage_is_managed(self.sh)
|
|
if self.semanaged:
|
|
semanage_connect(self.sh)
|
|
|
|
def add(self, name, roles, selevel, serange):
|
|
- (rc,k)=semanage_user_key_create(self.sh, name)
|
|
- (rc,exists)= semanage_user_exists(self.sh, k)
|
|
- if exists:
|
|
- raise ValueError("Seuser %s already defined" % name)
|
|
- (rc,u)= semanage_user_create(self.sh)
|
|
+ if serange == "":
|
|
+ serange = "s0"
|
|
+ if selevel == "":
|
|
+ selevel = "s0"
|
|
+
|
|
+ (rc,k) = semanage_user_key_create(self.sh, name)
|
|
+ if rc != 0:
|
|
+ raise ValueError("Could not create a key for %s" % name)
|
|
+
|
|
+ (rc,exists) = semanage_user_exists_local(self.sh, k)
|
|
+ if not exists:
|
|
+ (rc,exists) = semanage_user_exists(self.sh, k)
|
|
+ if not exists:
|
|
+ raise ValueError("SELinux user %s is already defined." % name)
|
|
+
|
|
+ (rc,u) = semanage_user_create(self.sh)
|
|
+ if rc != 0:
|
|
+ raise ValueError("Could not create login mapping for %s" % name)
|
|
+
|
|
semanage_user_set_name(self.sh, u, name)
|
|
for r in roles:
|
|
semanage_user_add_role(self.sh, u, r)
|
|
semanage_user_set_mlsrange(self.sh, u, serange)
|
|
semanage_user_set_mlslevel(self.sh, u, selevel)
|
|
(rc,key) = semanage_user_key_extract(self.sh,u)
|
|
+ if rc != 0:
|
|
+ raise ValueError("Could not extract key for %s" % name)
|
|
+
|
|
semanage_begin_transaction(self.sh)
|
|
semanage_user_add_local(self.sh, k, u)
|
|
if semanage_commit(self.sh) != 0:
|
|
raise ValueError("Failed to add SELinux user")
|
|
|
|
- self.dict[name]=seluser(name, roles, selevel, serange)
|
|
-
|
|
- def modify(self, name, roles=[], selevel="", serange=""):
|
|
- (rc,k)=semanage_user_key_create(self.sh, name)
|
|
- (rc,exists)= semanage_user_exists(self.sh, k)
|
|
- if not exists:
|
|
- raise ValueError("user %s is not defined" % name)
|
|
- (rc,u)= semanage_user_query(self.sh, k)
|
|
- if rc !=0 :
|
|
- raise ValueError("User %s is not defined." % name)
|
|
- if len(roles) == 0 and serange=="" and selevel=="":
|
|
+ def modify(self, name, roles = [], selevel = "", serange = ""):
|
|
+ if len(roles) == 0 and serange == "" and selevel == "":
|
|
raise ValueError("Requires, roles, level or range")
|
|
+
|
|
+ (rc,k) = semanage_user_key_create(self.sh, name)
|
|
+ if rc != 0:
|
|
+ raise ValueError("Could not create a key for %s" % name)
|
|
+
|
|
+ (rc,exists) = semanage_user_exists_local(self.sh, k)
|
|
+ if exists:
|
|
+ (rc,u) = semanage_user_query_local(self.sh, k)
|
|
+ else:
|
|
+ (rc,exists) = semanage_user_exists(self.sh, k)
|
|
+ if exists:
|
|
+ (rc,u) = semanage_user_query(self.sh, k)
|
|
+ else:
|
|
+ raise ValueError("SELinux user %s mapping is not defined." % name)
|
|
+ if rc != 0:
|
|
+ raise ValueError("Could not query user for %s" % name)
|
|
+
|
|
if serange != "":
|
|
semanage_user_set_mlsrange(self.sh, u, serange)
|
|
if selevel != "":
|
|
semanage_user_set_mlslevel(self.sh, u, selevel)
|
|
if len(roles) != 0:
|
|
for r in roles:
|
|
- print r
|
|
semanage_user_add_role(self.sh, u, r)
|
|
semanage_begin_transaction(self.sh)
|
|
semanage_user_modify_local(self.sh, k, u)
|
|
if semanage_commit(self.sh) != 0:
|
|
raise ValueError("Failed to modify SELinux user")
|
|
-
|
|
|
|
def delete(self, name):
|
|
- (rc,k)=semanage_user_key_create(self.sh, name)
|
|
- (rc,exists)= semanage_user_exists(self.sh, k)
|
|
+ (rc,k) = semanage_user_key_create(self.sh, name)
|
|
+ if rc != 0:
|
|
+ raise ValueError("Could not crpppeate a key for %s" % name)
|
|
+
|
|
+ (rc,exists) = semanage_user_exists_local(self.sh, k)
|
|
if not exists:
|
|
raise ValueError("user %s is not defined" % name)
|
|
semanage_begin_transaction(self.sh)
|
|
@@ -145,86 +194,183 @@
|
|
if semanage_commit(self.sh) != 0:
|
|
raise ValueError("Login User %s not defined" % name)
|
|
|
|
- def list(self):
|
|
- print "\n%-15s %-10s %-20s" % ("", "MLS/", "MLS/")
|
|
- print "%-15s %-10s %-15s %-20s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles")
|
|
+ def list(self, heading=1):
|
|
+ if heading:
|
|
+ print "\n%-15s %-10s %-20s" % ("", "MLS/", "MLS/")
|
|
+ print "%-15s %-10s %-15s %-20s\n" % ("SELinux User", "MCS Level", "MCS Range", "SELinux Roles")
|
|
(status, self.ulist, self.usize) = semanage_user_list(self.sh)
|
|
for idx in range(self.usize):
|
|
- u=semanage_user_by_idx(self.ulist, idx)
|
|
- name=semanage_user_get_name(u)
|
|
+ u = semanage_user_by_idx(self.ulist, idx)
|
|
+ name = semanage_user_get_name(u)
|
|
(status, rlist, rlist_size) = semanage_user_get_roles(self.sh, u)
|
|
- roles=""
|
|
+ roles = ""
|
|
|
|
if rlist_size:
|
|
- roles+=char_by_idx(rlist, 0)
|
|
+ roles += char_by_idx(rlist, 0)
|
|
for ridx in range (1,rlist_size):
|
|
- roles+=" " + char_by_idx(rlist, ridx)
|
|
+ roles += " " + char_by_idx(rlist, ridx)
|
|
print "%-15s %-10s %-15s %s" % (semanage_user_get_name(u), semanage_user_get_mlslevel(u), semanage_user_get_mlsrange(u), roles)
|
|
|
|
class portRecords:
|
|
def __init__(self):
|
|
- self.dict={}
|
|
- self.sh=semanage_handle_create()
|
|
- self.semanaged=semanage_is_managed(self.sh)
|
|
+ self.sh = semanage_handle_create()
|
|
+ self.semanaged = semanage_is_managed(self.sh)
|
|
if self.semanaged:
|
|
semanage_connect(self.sh)
|
|
|
|
- def add(self, name, type):
|
|
- (rc,k)=semanage_port_key_create(self.sh, name)
|
|
- (rc,exists)= semanage_port_exists(self.sh, k)
|
|
+ def __genkey(self, port, proto):
|
|
+ if proto == "tcp":
|
|
+ proto_d=SEMANAGE_PROTO_TCP
|
|
+ else:
|
|
+ if proto == "udp":
|
|
+ proto_d=SEMANAGE_PROTO_UDP
|
|
+ else:
|
|
+ raise ValueError("Protocol udp or tcp is required")
|
|
+ if port == "":
|
|
+ raise ValueError("Port is required")
|
|
+
|
|
+ ports=port.split("-")
|
|
+ if len(ports) == 1:
|
|
+ low=string.atoi(ports[0])
|
|
+ high=string.atoi(ports[0])
|
|
+ else:
|
|
+ low=string.atoi(ports[0])
|
|
+ high=string.atoi(ports[1])
|
|
+
|
|
+ (rc,k) = semanage_port_key_create(self.sh, low, high, proto_d)
|
|
+ if rc != 0:
|
|
+ raise ValueError("Could not create a key for %s/%s" % (proto, port))
|
|
+ return ( k, proto_d, low, high )
|
|
+
|
|
+ def add(self, port, proto, serange, type):
|
|
+ if serange == "":
|
|
+ serange="s0"
|
|
+
|
|
+ if type == "":
|
|
+ raise ValueError("Type is required")
|
|
+
|
|
+ ( k, proto_d, low, high ) = self.__genkey(port, proto)
|
|
+
|
|
+ (rc,exists) = semanage_port_exists(self.sh, k)
|
|
+ if exists:
|
|
+ raise ValueError("Port %s/%s already defined" % (proto, port))
|
|
+
|
|
+ (rc,exists) = semanage_port_exists_local(self.sh, k)
|
|
if exists:
|
|
- raise ValueError("User %s already defined" % name)
|
|
- (rc,u)= semanage_port_create(self.sh)
|
|
- semanage_port_set_name(self.sh, u, name)
|
|
- semanage_port_set_mlsrange(self.sh, u, serange)
|
|
- semanage_port_set_sename(self.sh, u, sename)
|
|
+ raise ValueError("Port %s/%s already defined locally" % (proto, port))
|
|
+
|
|
+ (rc,p) = semanage_port_create(self.sh)
|
|
+ if rc != 0:
|
|
+ raise ValueError("Could not create port for %s/%s" % (proto, port))
|
|
+
|
|
+ semanage_port_set_proto(p, proto_d)
|
|
+ semanage_port_set_range(p, low, high)
|
|
+ (rc, con) = semanage_context_create(self.sh)
|
|
+ if rc != 0:
|
|
+ raise ValueError("Could not create context for %s/%s" % (proto, port))
|
|
+
|
|
+ semanage_context_set_user(self.sh, con, "system_u")
|
|
+ semanage_context_set_role(self.sh, con, "object_r")
|
|
+ semanage_context_set_type(self.sh, con, type)
|
|
+ semanage_context_set_mls(self.sh, con, serange)
|
|
+ semanage_port_set_con(p, con)
|
|
semanage_begin_transaction(self.sh)
|
|
- semanage_port_add(self.sh, k, u)
|
|
+ semanage_port_add_local(self.sh, k, p)
|
|
if semanage_commit(self.sh) != 0:
|
|
raise ValueError("Failed to add port")
|
|
|
|
- def modify(self, name, type):
|
|
- (rc,k)=semanage_port_key_create(self.sh, name)
|
|
- (rc,u)= semanage_port_query(self.sh, k)
|
|
- if rc !=0 :
|
|
- raise ValueError("User %s is not defined." % name)
|
|
- if sename == "" and serange=="":
|
|
- raise ValueError("Requires, port or serange")
|
|
+ def modify(self, port, proto, serange, setype):
|
|
+ if serange == "" and setype == "":
|
|
+ raise ValueError("Requires, setype or serange")
|
|
+
|
|
+ ( k, proto_d, low, high ) = self.__genkey(port, proto)
|
|
+
|
|
+ (rc,exists) = semanage_port_exists_local(self.sh, k)
|
|
+ if exists:
|
|
+ (rc,p) = semanage_port_query_local(self.sh, k)
|
|
+ (rc,exists) = semanage_port_exists(self.sh, k)
|
|
+ if exists:
|
|
+ (rc,p) = semanage_port_query(self.sh, k)
|
|
+ else:
|
|
+ raise ValueError("port %s/%s is not defined." % (proto,port))
|
|
+
|
|
+ if rc != 0:
|
|
+ raise ValueError("Could not query port for %s/%s" % (proto, port))
|
|
+
|
|
+ con = semanage_port_get_con(p)
|
|
+ semanage_context_set_mls(self.sh, con, serange)
|
|
if serange != "":
|
|
- semanage_port_set_mlsrange(self.sh, u, serange)
|
|
- if sename != "":
|
|
- semanage_port_set_sename(self.sh, u, sename)
|
|
+ semanage_context_set_mls(self.sh, con, serange)
|
|
+ if setype != "":
|
|
+ semanage_context_set_type(self.sh, con, setype)
|
|
+ semanage_port_set_con(p, con)
|
|
semanage_begin_transaction(self.sh)
|
|
- semanage_port_modify(self.sh, k, u)
|
|
+ semanage_port_modify_local(self.sh, k, p)
|
|
if semanage_commit(self.sh) != 0:
|
|
raise ValueError("Failed to add port")
|
|
|
|
- def delete(self, name):
|
|
- (rc,k)=semanage_port_key_create(self.sh, name)
|
|
+ def delete(self, port, proto):
|
|
+ ( k, proto_d, low, high ) = self.__genkey(port, proto)
|
|
+ (rc,exists) = semanage_port_exists_local(self.sh, k)
|
|
+ if not exists:
|
|
+ raise ValueError("port %s/%s is not defined localy." % (proto,port))
|
|
+
|
|
semanage_begin_transaction(self.sh)
|
|
- semanage_port_del(self.sh, k)
|
|
+ semanage_port_del_local(self.sh, k)
|
|
if semanage_commit(self.sh) != 0:
|
|
- raise ValueError("Port %s not defined" % name)
|
|
+ raise ValueError("Port %s/%s not defined" % (proto,port))
|
|
|
|
- def list(self):
|
|
+ def list(self, heading=1):
|
|
(status, self.plist, self.psize) = semanage_port_list(self.sh)
|
|
- print "%-25s %s\n" % ("SELinux Port Name", "Port Number")
|
|
+ if heading:
|
|
+ print "%-30s %-8s %s\n" % ("SELinux Port Name", "Proto", "Port Number")
|
|
+ dict={}
|
|
+ for idx in range(self.psize):
|
|
+ u = semanage_port_by_idx(self.plist, idx)
|
|
+ con = semanage_port_get_con(u)
|
|
+ name = semanage_context_get_type(con)
|
|
+ proto=semanage_port_get_proto_str(u)
|
|
+ low=semanage_port_get_low(u)
|
|
+ high = semanage_port_get_high(u)
|
|
+ if (name, proto) not in dict.keys():
|
|
+ dict[(name,proto)]=[]
|
|
+ if low == high:
|
|
+ dict[(name,proto)].append("%d" % low)
|
|
+ else:
|
|
+ dict[(name,proto)].append("%d-%d" % (low, high))
|
|
+ (status, self.plist, self.psize) = semanage_port_list_local(self.sh)
|
|
for idx in range(self.psize):
|
|
- u=semanage_port_by_idx(self.plist, idx)
|
|
- name=semanage_port_get_name(u)
|
|
- print "%20s %d" % ( name, semanage_port_get_number(u))
|
|
+ u = semanage_port_by_idx(self.plist, idx)
|
|
+ con = semanage_port_get_con(u)
|
|
+ name = semanage_context_get_type(con)
|
|
+ proto=semanage_port_get_proto_str(u)
|
|
+ low=semanage_port_get_low(u)
|
|
+ high = semanage_port_get_high(u)
|
|
+ if (name, proto) not in dict.keys():
|
|
+ dict[(name,proto)]=[]
|
|
+ if low == high:
|
|
+ dict[(name,proto)].append("%d" % low)
|
|
+ else:
|
|
+ dict[(name,proto)].append("%d-%d" % (low, high))
|
|
+ for i in dict.keys():
|
|
+ rec = "%-30s %-8s " % i
|
|
+ rec += "%s" % dict[i][0]
|
|
+ for p in dict[i][1:]:
|
|
+ rec += ", %s" % p
|
|
+ print rec
|
|
|
|
if __name__ == '__main__':
|
|
|
|
- def usage(message=""):
|
|
+ def usage(message = ""):
|
|
print '\
|
|
semanage user [-admsRrh] SELINUX_USER\n\
|
|
semanage login [-admsrh] LOGIN_NAME\n\
|
|
-semanage port [-admth] SELINUX_PORT_NAME\n\
|
|
+semanage port [-admth] PORT | PORTRANGE\n\
|
|
-a, --add Add a OBJECT record NAME\n\
|
|
-d, --delete Delete a OBJECT record NAME\n\
|
|
-h, --help display this message\n\
|
|
-l, --list List the OBJECTS\n\
|
|
+ -n, --noheading Do not print heading when listing OBJECTS\n\
|
|
-m, --modify Modify a OBJECT record NAME\n\
|
|
-r, --range MLS/MCS Security Range\n\
|
|
-R, --roles SELinux Roles (Separate by spaces)\n\
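Review bot: In portRecords.modify the new line `semanage_context_set_mls(self.sh, con, serange)` runs unconditionally, before the `if serange != "":` guard, so a modify that only passes `-t` writes an empty MLS range into the existing port context; dropping that first call and keeping the guarded one fixes it. Separately, `__genkey` converts the port with `string.atoi` but never checks that `low <= high` or that both values are within 1–65535, so a reversed range like `200-100` or an out-of-range port reaches `semanage_port_key_create` with whatever message libsemanage produces — `if low < 1 or high > 65535 or low > high: raise ValueError("Port range %s is invalid" % port)` after the conversion fails fast (the test script added at the end of this patch drives `semanage port -a -P tcp 123456`, which presumably is meant to exercise exactly that). The modify path also reuses `"Failed to add port"` as its commit-failure message; `"Failed to modify port"` would match what the other record classes report. As a point of style, `list()` shadows the builtin `dict` with a local of the same name; `ports` or `by_type` would read better.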
|
|
@@ -245,33 +391,40 @@
|
|
#
|
|
#
|
|
try:
|
|
- objectlist=("login", "user", "port")
|
|
- input=sys.stdin
|
|
- output=sys.stdout
|
|
- serange="s0"
|
|
- selevel="s0"
|
|
- roles=""
|
|
- seuser=""
|
|
- type=""
|
|
- add=0
|
|
- modify=0
|
|
- delete=0
|
|
- list=0
|
|
+ objectlist = ("login", "user", "port")
|
|
+ input = sys.stdin
|
|
+ output = sys.stdout
|
|
+ serange = ""
|
|
+ port = ""
|
|
+ proto = ""
|
|
+ selevel = ""
|
|
+ setype = ""
|
|
+ roles = ""
|
|
+ seuser = ""
|
|
+ heading=1
|
|
+
|
|
+ add = 0
|
|
+ modify = 0
|
|
+ delete = 0
|
|
+ list = 0
|
|
if len(sys.argv) < 3:
|
|
usage("Requires 2 or more arguments")
|
|
|
|
- object=sys.argv[1]
|
|
+ object = sys.argv[1]
|
|
if object not in objectlist:
|
|
usage("%s not defined" % object)
|
|
|
|
- args=sys.argv[2:]
|
|
+ args = sys.argv[2:]
|
|
gopts, cmds = getopt.getopt(args,
|
|
- 'adlhms:R:r:t:v',
|
|
+ 'adlhmnp:P:s:R:r:t:v',
|
|
['add',
|
|
'delete',
|
|
'help',
|
|
'list',
|
|
'modify',
|
|
+ 'noheading',
|
|
+ 'port=',
|
|
+ 'proto=',
|
|
'seuser=',
|
|
'range=',
|
|
'roles=',
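Review bot: The option string `'adlhmnp:P:s:R:r:t:v'` and the long-option list declare `-p`/`--port=`, but the option loop in the next hunk has no branch for them, so `port` stays `""` and the port is actually taken from the positional `target`; either the dead option should be removed or the usage text should say which form is accepted. As a point of style, `list = 0` (alongside the pre-existing `input` and `object`) shadows a Python builtin inside the `__main__` block; a name such as `do_list` avoids surprises if `list(...)` is ever needed later in the script. `heading=1` is also the one assignment in this run written without the spaces the commit adds everywhere else.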
|
|
@@ -282,88 +435,95 @@
|
|
if o == "-a" or o == "--add":
|
|
if modify or delete:
|
|
usage()
|
|
- add=1
|
|
+ add = 1
|
|
|
|
if o == "-d" or o == "--delese":
|
|
if modify or add:
|
|
usage()
|
|
- delete=1
|
|
+ delete = 1
|
|
if o == "-h" or o == "--help":
|
|
usage()
|
|
|
|
+ if o == "-n" or o == "--nohead":
|
|
+ heading=0
|
|
+
|
|
if o == "-m"or o == "--modify":
|
|
if delete or add:
|
|
usage()
|
|
- modify=1
|
|
+ modify = 1
|
|
|
|
if o == "-r" or o == '--range':
|
|
- serange=a
|
|
+ serange = a
|
|
+
|
|
+ if o == "-P" or o == '--proto':
|
|
+ proto = a
|
|
|
|
if o == "-R" or o == '--roles':
|
|
- roles=a
|
|
+ roles = a
|
|
|
|
if o == "-t" or o == "--type":
|
|
- type=a
|
|
+ setype = a
|
|
|
|
if o == "-l" or o == "--list":
|
|
- list=1
|
|
+ list = 1
|
|
|
|
if o == "-s" or o == "--seuser":
|
|
- seuser=a
|
|
+ seuser = a
|
|
|
|
if o == "-v" or o == "--verbose":
|
|
- verbose=1
|
|
+ verbose = 1
|
|
|
|
if object == "login":
|
|
- OBJECT=loginRecords()
|
|
+ OBJECT = loginRecords()
|
|
|
|
if object == "user":
|
|
- OBJECT=seluserRecords()
|
|
+ OBJECT = seluserRecords()
|
|
|
|
if object == "port":
|
|
- OBJECT=portRecords()
|
|
+ OBJECT = portRecords()
|
|
|
|
if list:
|
|
- OBJECT.list()
|
|
+ OBJECT.list(heading)
|
|
sys.exit(0);
|
|
|
|
if len(cmds) != 1:
|
|
usage()
|
|
|
|
- name=cmds[0]
|
|
+ target = cmds[0]
|
|
|
|
if add:
|
|
if object == "login":
|
|
- OBJECT.add(name, seuser, serange)
|
|
+ OBJECT.add(target, seuser, serange)
|
|
|
|
if object == "user":
|
|
- rlist=roles.split()
|
|
- print rlist
|
|
- OBJECT.add(name, rlist, selevel, serange)
|
|
+ rlist = roles.split()
|
|
+ if len(rlist) == 0:
|
|
+ raise ValueError("You must specify a role")
|
|
+ OBJECT.add(target, rlist, selevel, serange)
|
|
|
|
if object == "port":
|
|
- OBJECT.add(name, type)
|
|
+ OBJECT.add(target, proto, serange, setype)
|
|
|
|
- OBJECT.list()
|
|
sys.exit(0);
|
|
|
|
if modify:
|
|
if object == "login":
|
|
- OBJECT.modify(name, seuser, serange)
|
|
+ OBJECT.modify(target, seuser, serange)
|
|
|
|
if object == "user":
|
|
- rlist=roles.split()
|
|
- print rlist
|
|
- OBJECT.modify(name, rlist, selevel, serange)
|
|
+ rlist = roles.split()
|
|
+ OBJECT.modify(target, rlist, selevel, serange)
|
|
|
|
if object == "port":
|
|
- OBJECT.modify(name, type)
|
|
+ OBJECT.modify(target, proto, serange, setype)
|
|
sys.exit(0);
|
|
- OBJECT.list()
|
|
sys.exit(0);
|
|
|
|
if delete:
|
|
- OBJECT.delete(name)
|
|
+ if object == "port":
|
|
+ OBJECT.delete(target, proto)
|
|
+ else:
|
|
+ OBJECT.delete(target)
|
|
sys.exit(0);
|
|
usage()
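Review bot: `--noheading` can never match: getopt returns the full long-option name, and the new branch tests `o == "--nohead"`, so only `-n` actually disables the heading. The line should read `if o == "-n" or o == "--noheading":`. The same kind of mismatch already exists on the context line `if o == "-d" or o == "--delese":` (the declared long option is `delete`), which this commit leaves untouched. `-p`/`--port` is declared in the option string in the previous hunk but has no branch in this loop, and `verbose = 1` is assigned but never read.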
|
|
|
|
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/tests/semanage_test policycoreutils-1.29.2/semanage/tests/semanage_test
|
|
--- nsapolicycoreutils/semanage/tests/semanage_test 1969-12-31 19:00:00.000000000 -0500
|
|
+++ policycoreutils-1.29.2/semanage/tests/semanage_test 2005-12-27 14:40:02.000000000 -0500
|
|
@@ -0,0 +1,67 @@
|
|
+#!/bin/sh -x
|
|
+#
|
|
+# This is a test script for the semanage command
|
|
+#
|
|
+echo "
|
|
+
|
|
+******************** semanage List Failue test ************************
|
|
+"
|
|
+semanage -l
|
|
+echo "
|
|
+
|
|
+******************** semanage Mapping test ************************
|
|
+"
|
|
+echo " * Mapping List test"
|
|
+semanage login -l
|
|
+echo " * Add mapping exist test"
|
|
+semanage login -a root
|
|
+echo " * Add new test"
|
|
+echo " * Add selinux login to selinux user mapping, username wrong"
|
|
+semanage login -a semanage_test1
|
|
+userdel -r semanage_test1 2> /dev/null
|
|
+useradd semanage_test1
|
|
+echo " * Add selinux login to selinux user mapping, Bad SELinux User"
|
|
+semanage login -a -s BadUser semanage_test1
|
|
+echo " * Add selinux login to selinux user mapping, username correct"
|
|
+semanage login -a semanage_test1
|
|
+semanage login -l
|
|
+userdel -r semanage_test1
|
|
+echo " * remove selinux login to selinux user mapping, username wrong"
|
|
+semanage login -d semanage_test2
|
|
+echo " * remove selinux login to selinux user mapping, username correct"
|
|
+semanage login -d semanage_test1
|
|
+semanage login -l
|
|
+
|
|
+echo "
|
|
+
|
|
+******************** semanage SELinux User test ************************
|
|
+"
|
|
+echo " * SELinux User List test"
|
|
+semanage user -l
|
|
+echo " * Add SELinux User exist test: Fail because root exist"
|
|
+semanage user -a -R user_r root
|
|
+echo " * Add SELinux User exist test: Fail because no role specified"
|
|
+semanage user -a -r s0 semanage_test1
|
|
+echo " * Add selinux user semanage_test1: Success"
|
|
+semanage user -a -R user_r -r s0 semanage_test1
|
|
+semanage user -l
|
|
+echo " * Modify selinux user semanage_test1 Failue bad range"
|
|
+semanage user -m -r BadRange semanage_test1
|
|
+echo " * Modify selinux user semanage_test1 Failue bad role"
|
|
+semanage user -m -R BadRole semanage_test1
|
|
+echo " * Modify selinux user semanage_test1"
|
|
+semanage user -m -r s0:c1,c5 semanage_test1
|
|
+semanage user -l
|
|
+echo " * Delete selinux user semanage_test2: Fail does not exist"
|
|
+semanage user -d semanage_test2
|
|
+echo " * Delete selinux user semanage_test1"
|
|
+semanage user -d semanage_test1
|
|
+semanage user -l
|
|
+
|
|
+#echo "
|
|
+#
|
|
+#******************** semanage SELinux ports test ************************
|
|
+#"
|
|
+semanage port -l
|
|
+semanage port -a -P tcp 123456
|
|
+semanage port -d -P tcp 123456
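Review bot: The script prints its expectations ("Success", "Fail because …") but never checks an exit status, so a regression in which `semanage login -a root` succeeds or `semanage user -a -R user_r -r s0 semanage_test1` fails is invisible unless someone reads the `-x` trace; capturing `rc=$?` after each call and comparing it with the expected value (0 or non-zero) would turn it into a real test. Because it runs `useradd`/`userdel -r` and writes to the policy store, a header comment stating the precondition would help: `# Requires root and a managed policy store; creates and removes the local account semanage_test1.` The port section at the end has its banner commented out while its commands still run, and unlike the other sections it says nothing about whether `123456` is expected to be rejected.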
|